False Negative with dependency-check-maven 3.3.2 #1512

Closed
alainmoran opened this issue Oct 2, 2018 · 2 comments

alainmoran commented Oct 2, 2018

In implementing the dependency-check-maven plugin for some of our projects we have found an occasion where it's possible that a false negative can occur with the maven plugin.

i.e. the maven plugin misses a dependency that is picked up when pushing the jar file generated by the build through the command line.

In this case we have the following test dependency:

        <dependency>
            <groupId>com.fasterxml.jackson.jaxrs</groupId>
            <artifactId>jackson-jaxrs-json-provider</artifactId>
            <version>2.5.3</version>
            <scope>test</scope>
        </dependency>

This is a vulnerable library; however, since it is included as a test dependency it is ignored.

However, we also have the following dependencies, which are compiled:

        <!-- metrics -->
        <dependency>
            <groupId>io.dropwizard.metrics</groupId>
            <artifactId>metrics-core</artifactId>
            <version>3.1.2</version>
            <exclusions>
                <exclusion>
                    <groupId>org.slf4j</groupId>
                    <artifactId>slf4j-api</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
        <dependency>
            <groupId>io.dropwizard.metrics</groupId>
            <artifactId>metrics-servlets</artifactId>
            <version>3.1.2</version>
            <exclusions>
                <exclusion>
                    <groupId>org.slf4j</groupId>
                    <artifactId>slf4j-api</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
        <dependency>
            <groupId>io.dropwizard.metrics</groupId>
            <artifactId>metrics-graphite</artifactId>
            <version>3.1.2</version>
            <exclusions>
                <exclusion>
                    <groupId>org.slf4j</groupId>
                    <artifactId>slf4j-api</artifactId>
                </exclusion>
            </exclusions>
        </dependency>

This version of dropwizard includes the vulnerable 2.5.3 version of jackson:

mvn dependency:tree -Dscope=compile -Dverbose=true

[INFO] +- io.dropwizard.metrics:metrics-servlets:jar:3.1.2:compile
[INFO] |  +- (io.dropwizard.metrics:metrics-core:jar:3.1.2:compile - omitted for duplicate)
[INFO] |  +- io.dropwizard.metrics:metrics-healthchecks:jar:3.1.2:compile
[INFO] |  +- io.dropwizard.metrics:metrics-json:jar:3.1.2:compile
[INFO] |  |  +- (io.dropwizard.metrics:metrics-core:jar:3.1.2:compile - omitted for duplicate)
[INFO] |  |  \- (com.fasterxml.jackson.core:jackson-databind:jar:2.5.3:compile - omitted for conflict with 2.4.2)
[INFO] |  +- io.dropwizard.metrics:metrics-jvm:jar:3.1.2:compile
[INFO] |  |  \- (io.dropwizard.metrics:metrics-core:jar:3.1.2:compile - omitted for duplicate)
[INFO] |  \- com.fasterxml.jackson.core:jackson-databind:jar:2.4.2:compile
[INFO] |     +- com.fasterxml.jackson.core:jackson-annotations:jar:2.4.0:compile
[INFO] |     \- com.fasterxml.jackson.core:jackson-core:jar:2.4.2:compile
[INFO] \- io.dropwizard.metrics:metrics-graphite:jar:3.1.2:compile
[INFO]    \- (io.dropwizard.metrics:metrics-core:jar:3.1.2:compile - omitted for duplicate)

It appears that the maven plugin is ignoring the jackson included through dropwizard because it also matches a test dependency.

Setting skipTestScope false sort-of works around this, but also introduces other failures which actually come from test dependencies.
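Added example, not code from the issue or from the dependency-check project: a small Python model of the scope filtering the report describes. It shows why deduplicating artifacts by coordinates before applying the scope skip hides a compile-scope occurrence whenever the same artifact is also reachable through a test-scope dependency, and the fix of deciding per occurrence. The resolved list, including the assumption that jackson-databind 2.5.3 is reached through both jackson-jaxrs-json-provider (test) and metrics-json (compile), is constructed from the POM and tree output quoted above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Occurrence:
    """One resolved path to an artifact, with the scope it resolves in (constructed model)."""
    group: str
    artifact: str
    version: str
    scope: str
    via: str  # direct dependency that pulled it in (constructed label)


# Constructed from the issue: the test-scope provider, jackson-databind 2.5.3 reached
# both through it (test) and through metrics-json (compile), plus a plain compile artifact.
RESOLVED = [
    Occurrence("com.fasterxml.jackson.jaxrs", "jackson-jaxrs-json-provider", "2.5.3", "test", "direct"),
    Occurrence("com.fasterxml.jackson.core", "jackson-databind", "2.5.3", "test", "jackson-jaxrs-json-provider"),
    Occurrence("com.fasterxml.jackson.core", "jackson-databind", "2.5.3", "compile", "metrics-json"),
    Occurrence("io.dropwizard.metrics", "metrics-core", "3.1.2", "compile", "direct"),
]

SKIPPED_SCOPES = {"test"}  # what skipTestScope=true means in this model


def gav(o: Occurrence) -> str:
    return f"{o.group}:{o.artifact}:{o.version}"


def scan_set_buggy(resolved, skipped=SKIPPED_SCOPES):
    """Dedupe by coordinates first, then drop the key if the single kept occurrence is
    in a skipped scope. The first path seen decides for every other path to the artifact,
    so a test-scope path masks a compile-scope one: the false negative in the report."""
    first_seen = {}
    for o in resolved:
        first_seen.setdefault(gav(o), o)
    return {k for k, o in first_seen.items() if o.scope not in skipped}


def scan_set_fixed(resolved, skipped=SKIPPED_SCOPES):
    """Apply the scope skip per occurrence: keep an artifact if any path to it resolves
    in a scope that is not skipped."""
    return {gav(o) for o in resolved if o.scope not in skipped}


def false_negatives(resolved, skipped=SKIPPED_SCOPES):
    """Artifacts the buggy filter silently omits from the scan."""
    return sorted(scan_set_fixed(resolved, skipped) - scan_set_buggy(resolved, skipped))
```

With skipped=set() (the skipTestScope=false workaround) the provider itself is scanned too, which is the source of the extra test-only findings the report mentions.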

@jeremylong jeremylong added the bug label Oct 4, 2018
jeremylong added a commit that referenced this issue Oct 4, 2018
…roject included as a primary dependency in an excluded scope
@jeremylong (Owner)

Thank you for finding and reporting this issue. I have a patch in final testing.


lock bot commented Nov 27, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked and limited conversation to collaborators Nov 27, 2018